
Issue 633096

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security




Security: unexpected behaviour in CSP enforcement

Reported by alvise.r...@unive.it, Aug 1 2016

Issue description

VULNERABILITY DETAILS
a CSP policy like:
img-src www.example.com;
is enforced differently than a policy like:
img-src www.example.com; default-src *;
At the moment, in Chromium, the first policy allows the execution of inline scripts, while the second does not allow it.
According to the CSP specification (https://www.w3.org/TR/CSP2/#directive-default-src) both policies should block the execution of inline scripts: the fact that the first one has no default-src should cause it to fall back on a default-src of *, behaving exactly like the second one.

VERSION
Chrome Version: 51.0.2704.79 stable
Operating System: Ubuntu 16.04 (64-bit)

REPRODUCTION CASE
Please visit https://www.dsi.unive.it/~rabitti/csptests/inline_with_star_1.php to reproduce the bug

 
Components: Blink>SecurityFeature
Labels: Security_Severity-Low Security_Impact-Stable OS-All
Owner: mkwst@chromium.org
Status: Assigned (was: Unconfirmed)
Mind taking a look/assigning to the right folks, mkwst@?

Comment 2 by sheriffbot@chromium.org, Aug 2 2016

Labels: Pri-2

Comment 3 by mkwst@chromium.org, Aug 24 2017

Components: Blink>SecurityFeature>ContentSecurityPolicy

Comment 4 by mkwst@chromium.org, Sep 19 2017

Status: WontFix (was: Assigned)
I'm a bit embarrassed that I haven't touched this in almost a year. Sorry about that. :(

Closing this as `WontFix`. The behavior is intentional: if a policy does not explicitly specify a policy for scripts, we're not going to block anything. We chose that stance in order to enable directives like `sandbox` or `upgrade-insecure-requests` that don't in themselves affect script execution. That is, `Content-Security-Policy: upgrade-insecure-requests` shouldn't block inline script or blob resources. In other words, the default isn't `default-src *`, but something more like `default-src * 'unsafe-inline' 'unsafe-eval' data: blob: filesystem: ...`.

Happy to discuss this further in a bug filed against CSP if you're really unhappy with the behavior.
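As an added example (not part of this bug report and not Chromium's implementation), the following JavaScript models the fallback rule mkwst describes above: a fetch directive falls back to default-src when absent, and when neither is present nothing is blocked. It is evaluated against the two policies from the report and the upgrade-insecure-requests case from comment 4. The model is deliberately simplified: it ignores nonces, hashes, 'strict-dynamic', schemes, ports and paths, and the host matcher only understands '*' and exact hosts. All function names here are the example's own.

```javascript
// Added example (not Chromium's code): a simplified model of how Chromium
// resolves CSP fetch directives, as described in comment 4 of this bug.
// Only the fallback chain script-src -> default-src -> (no restriction)
// and a minimal host matcher are modelled.

// Directives that fall back to default-src when absent (subset of the CSP2 list).
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'child-src',
]);

// Parse "name src src; name src" into a Map of directive -> array of source
// expressions. As in CSP, the first occurrence of a directive wins.
function parsePolicy(policyText) {
  const policy = new Map();
  for (const raw of policyText.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the source list that governs `directive`, or null when the policy
// says nothing about it. Chromium treats null as "allow everything", which is
// why a policy consisting only of upgrade-insecure-requests blocks nothing.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// Inline <script> runs when no directive governs scripts at all, or when the
// governing list carries 'unsafe-inline' (nonces and hashes are ignored here).
function allowsInlineScript(policy) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Host-source matching for a fetched URL: '*' or an exact host match only.
function allowsUrl(policy, directive, url) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const host = new URL(url).host;
  return sources.some((src) => src === '*' || src.toLowerCase() === host);
}

// Constructed inputs: the two policies from the report and the case from comment 4.
const REPORTED_A = 'img-src www.example.com;';
const REPORTED_B = 'img-src www.example.com; default-src *;';
const UPGRADE_ONLY = 'upgrade-insecure-requests';

// Convenience summary of what each policy does to inline script and to two
// image fetches, so the difference between the two reported policies is visible.
function summarize(policyText) {
  const policy = parsePolicy(policyText);
  return {
    inlineScript: allowsInlineScript(policy),
    exampleImage: allowsUrl(policy, 'img-src', 'https://www.example.com/a.png'),
    otherImage: allowsUrl(policy, 'img-src', 'https://other.example/b.png'),
  };
}

for (const p of [REPORTED_A, REPORTED_B, UPGRADE_ONLY]) {
  console.log(JSON.stringify(p), summarize(p));
}
```

Run with `node` to see that REPORTED_A and UPGRADE_ONLY leave inline script allowed while REPORTED_B blocks it; both reported policies restrict images identically, which is the point of the report. Real enforcement also has to consider nonces, hashes, 'self', scheme sources and the other directives this model leaves out.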

Comment 5 by sheriffbot@chromium.org, Dec 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
